Everything posted by pfSense_fan

  1. I too am intrigued by OPNsense but my takeaway as well is that it is not quite where I need it to be. If I JUST needed a firewall, then my opinion might change, but I need a UTM (Unified Threat Management). pfBlockerNG with DNSBL, to me, is the best thing before or after sliced bread, and I would not be able to use OPNsense in the same way I have been accustomed to with pfSense. Using uBlock Origin or Adblock Plus is one thing for a browser, but everything else on a network is not afforded such protection. DNSBL allows that, and I have had days where my network blocked just shy of 50,000 requests for ad, tracker or otherwise less than reputable servers. It's eye opening seeing how active IoT (Internet of Things: web-aware appliances/TVs/media players etc.) and portable personal devices are. After setup it's all automated save for the occasional manual update to bring it back into sync. If I didn't need or feel safer with pfBlockerNG/DNSBL I would give OPNsense a go in a heartbeat. If you or someone else does not care to use packages such as that, I would say give it a go and let us know how it feels. Setup should be similar to pfSense.
  2. I've never used Windows Server products so I'm not familiar with how they work, but I can give you an example of what I do on my network (I don't use my own guide; my network is far more complicated). I use selective routing on some of my interfaces, that is, I have a computer or two on a VPN-facing interface that also require limited or full clearnet access. I use static mappings for them and, with that, have the alternate DNS served to them via that same static mapping. So that is one way. I assume (would hope) there is some similar way to control what your DHCP server hands out. Alternatively, you could use a port forwarding rule to redirect DNS from whatever IP address/range needs it. I use this method for NTP and DNS as some devices have them hard coded (Apple with NTP and many Android devices for Google DNS). All that being said, you also may be like me, and not able to get away with one DNS server. I use 3 currently. I have a server running multiple VM instances of pfSense as a dedicated DNS server. I use the built-in forwarder to map all of the DHCP and static mappings and I point it at the other two instances that are running the Resolver so I can make use of its security features and pfBlockerNG/DNSBL. One resolver, the main one, points at AirVPN DNS. The other uses the root servers through the clearnet. By default everything goes to the VPN DNS, but Domain Overrides can be used to point them to the other. Wish I had a definitive answer for you but I don't. Any reason you don't use pfSense to control it all?
  3. I changed both to what I intended. Thanks for the heads up. As an aside, only part of it was a typo. The rule names were intended to state where the traffic was destined, not just the interface. Reasoning being that you can use selective policy based routing on the same interfaces to send traffic out another gateway if desired. I chose not to explain policy based routing for a few reasons, the main being that it opens up Pandora's box for security issues if the user is a novice. Having separate interfaces is the proper way to do it from a security standpoint as the traffic between local networks is then filtered. Traffic only separated by a switch is not, and as such is why I push the use of three or more interfaces so users can properly separate and/or filter devices through the firewall. I bring it up as I have browsed the replies to this post and it seemed to be a recurring issue that folks were trying to connect the different subnets. It is by design and proper that they are blocked by default. Firewall rules need to be created to allow devices behind one interface to access services on another. I left this out as it is outside the scope of what this was intended to be, and making rules to allow such access is well documented at the pfSense forums. All this being said, this guide is bordering on being outdated. If I can find the free time I will update the last bits such as the resolver config and other small bits before allowing this to be archived for those who do not update to pfSense 2.3 right away. I am considering making a heavily updated guide for 2.3.
  4. Unfortunately it's not at all this simple. When you visit Netflix, it makes requests to other Netflix-owned domains such as nflximg.com, nflximg.net, nflxext.com and so on. These domains themselves further resolve to yet more Netflix-owned domains AND some other non-Netflix-owned domains. The trick is, you need all of the requests to route outside the VPN. I have been playing with this in my free time and have gotten it to work for periods, so I am yet missing something. First things first, you need to route all Netflix-owned IP space. The best way to do this is with pfBlockerNG. You can simply enter in Netflix-owned AS IP blocks. Those blocks right now are (reference): AS2906, AS40027, AS55095, AS394406. Then you have to get everything else that further resolves, so you have to make an alias for all of the domains that get requested. Some non-Netflix ones that come up are NS1, NS2, NS3 and NS4.P19.DYNECT.NET. Even if you manage to get all requests to run outside of the VPN, you still have to get the DNS requests for them to run outside, as the CDNs and name servers Netflix uses try to connect you to the closest CDN by your GeoIP. So if you have a DNS request coming from New York and an IP from California it still does not like it. So now you need a second DNS server and the ability to override the domains in the DNS forwarder or resolver. It works better in the forwarder from what I have read, which is unfortunate as I use the DNS Blacklist with the resolver and pfBlockerNG. So yeah, it's not so simple, but it should be possible. I have a bunch of virtual machines running pfSense as dedicated DNS servers trying to work out the best config. Maybe as a community with enough minds we can figure this out.
  5. I recalled someone posting to say they worked it out and I knew I bookmarked it. I have not tried this myself but here is the post. Edit: Just had to ask... have you tried the alternate entry and or ports? My isp throttles most, but a few slipped by them and it works fine without.
  6. (Pidgin) That's not it. I've been using Pidgin/XMPP/OTR for years. In fact, a number of us pfSense users communicated using it while we hashed out the guide I made. I can still log into other accounts I have.
  7. (Pidgin) Any updates or suggestions here? I am excited and eager to use this service and cannot figure out what is going on. It says 403 forbidden no matter what I do.
  8. (Pidgin) Tried again, no luck still. Same as before, although it asked for my password in an additional step.
  9. (Pidgin) I tried that, says forbidden. ???
  10. (Pidgin) I'm having a bit of trouble getting this set up. When I try to login it says I am not authorized. I entered the info exactly as specified. Any suggestions?
  11. They are PCI-e 2.0 and require a x4 slot. I own a number of these and the quad port version as well. A warning with those now older network cards: they are only compatible in PCI Express 2.0 mode. If your BIOS does not have an option to run in that specific mode, it is a known issue with those cards that they may have compatibility issues. Most enterprise/server motherboards have this option, while many consumer level do not. Another consideration is that the PRO/1000 PT run quite hot. They can draw 12 watts on their own. The newer I350 only max at about 5. You will need a well ventilated case with fans for the PRO/1000's. The I350 runs much cooler. Unfortunately the I350 costs much more at this point. This is why I recommend people buy server motherboards to build on. The price of these cards is silly really. The Rangeley Intel Atom boards have a quad port I350 variant on board. That motherboard which includes the 8 core processor and that quad port NIC is about $300-$350 depending where you look. $250-$300 if you opt for the quad core CPU version. A quad port I350 goes for $200 on eBay, $300+ retail. Rangeley also has a TDP rating of 20 watts as well. Food for thought. The PRO/1000's do work well though, it just kills me to see people piece together old parts that add up to near the price of newer, faster and more energy efficient builds.
  12. (Quoting the question:) "One question: the guide advises turning compression off, yet compression is turned on when setting up the OpenVPN client on DD-WRT amongst other configurations. Wouldn't turning this on increase efficiency and performance? What a great guide; it made setting up my new pfSense box very straightforward! Thanks ever so."

     It is not turned "off" actually. The setting AirVPN uses is "comp-lzo no", and that option is set manually by us in the string you should be entering in the advanced box on the pfSense OpenVPN client page. "comp-lzo no" means compression is off by default, but the connection can enable it if needed. Glad the guide helped.
  13. I'm surprised there has been no answer to this question. I'm also surprised more users have not expressed interest in knowing this. I thought this would gain some traction. Staff, can we please get a detailed answer as to these policies? Or perhaps a link to where they are previously stated if it has already been answered?
  14. Edit: Thank You Staff! Don't post pics of the dashboards guys... private info! Take this down... PM me for assistance!
  15. I'll assume you're talking about the auto negotiation of the port speed on the interface settings page? If yes, what Intel NIC do you have? What drivers does it use? em0, em1 etc. or is it igb0, igb1 etc.? I may be able to toss a few extra, more specific tweaks your way. Also, are you using the IP fastforwarding sysctl tweak at the end of the guide?
  16. ATTENTION! All those who follow this guide, please be advised... I just wanted to give everyone who follows this guide a heads up that in the next week or two I will be "ending support" for this guide as it now stands. Over the next few days I will be making some tweaks to the guide that will require everyone's attention if you want to have the tidiest and most functional setup while using the method I described here. If anyone has any questions or suggestions, now is the time to speak up. Although I will still be "around" here and there and will gladly help, I am moving on to bigger and better things. This guide works, but it could be better and I know that now. I don't however have the time to create a new one at this juncture. I've spent a portion of each and every free day I've had over the last ten months researching and sharing what I've learned about this stuff. That is way more time than I ever imagined or intended, way too much time... and now life beckons. I no longer have free time to spare so I leave you all with this guide as it is, which should suffice at least until pfSense 2.2 comes out. I learned so much all along the way while making this guide. I hope you all did too!
  17. Sorry, somehow I did not see this post and I had overlooked it earlier. I'm glad this guide has helped you; it's good to know it continues to help people. As for the question... if you follow the method listed here, yes (unfortunately) you need more than one switch. The idea was to isolate networks as much as possible for the beginner. It is possible to use a different method, which as of this week I am now using, that only requires one. I don't currently have the time to explain it, but I gave the gist of it in one of my recent posts in this thread. I am working on something new, as I will be announcing after this post. Again thank you! It's good to hear others feel I am explaining things well. Sometimes I struggle with words! Please take a moment to like any post that has helped or rate the topic for others to see/know if the information was useful. It also lets me know it was well received! Thanks!

     I use Comodo and not the Windows firewall, but I have no issues seeing services across subnets. If you monitor your firewall logs (you will want to have the logs show more than 50 lines, more like 1000. You will also want them to show newest on top) you will likely learn why. Off the top of my head you may be inadvertently blocking multicast. There is always a way, it will just require tinkering. Excellent choice on the year subscription! I'm on year two and have been pleased by the service the whole time.
  18. You can do this and more with pfSense... either by following my guide for three or more NICs or by using selective routing and some creativity with the LAN subnet mask. I have both clearnet and VPN connectivity currently using multiple subnets for LAN (clearnet), VPN_LAN, XBOX (clearnet), VOIP (clearnet) and PRINTER (local access only). I soon will be doing away with the separate subnets for LAN, VPN_LAN and XBOX. I likely will be using a subnet of 192.168.0.1 /18 (/24 is normal) which will give me an internal address range of 192.168.0.1 - 192.168.63.254 on my LAN. Then by creating outbound NAT rules for VPN traffic (let's say 192.168.10.1 /24) and clearnet traffic (say for instance 192.168.11.1 /24) that direct/NAT the outbound traffic to the correct gateway, I can use policy routing in my firewall rules to ensure correct and leak-free VPN/clearnet usage. There are a few more steps involved with firewall rules, DHCP server and DNS server settings as well as a few system settings but this is the gist of it. This may all sound confusing now, but the point is... you can do this quite easily with pfSense. If you use good equipment you will also have the benefits of having no noticeable speed degradation through the VPN, strong network security, and you can even get into using Suricata or Snort if you are up to it.
  19. I used Snort for over a year on pfSense while connected to AirVPN (now using Suricata) and never had this issue. This begs the question though... why use the Windows OpenVPN client when you can use pfSense to connect instead? Your connection is safer using pfSense as the OpenVPN client. Another thing to point out... unless you pay for Bluetack, the free Bluetack lists are a year to two years outdated. Bluetack became a premium service some time ago and the free lists have not been updated since. Also... reading up just now on what a teardrop attack is, you most likely get that warning because your bootloader and system tunables are not optimized for your system. Really though, use pfSense as the OpenVPN client and this will go away.
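The post above sketches a single /18 LAN carved into /24 ranges that are policy-routed to different gateways. The block below is an added example, not the poster's configuration: it checks such a plan with Python's ipaddress module. The numbers are the ones the post gives as "let's say" (192.168.0.0/18, 192.168.10.0/24 for VPN, 192.168.11.0/24 for clearnet); the gateway names AirVPN_GW and WAN_GW, the default-gateway assumption and the sample host addresses are made up for illustration. The security-relevant output is the list of address space with no explicit rule, because every host there silently takes whatever the default gateway is.

```python
"""Added example (not from the original post): sanity-check a /18 LAN split
into policy-routed /24 ranges before committing it to pfSense rules.

Constructed assumptions:
  - LAN is 192.168.0.0/18, as the post proposes.
  - 192.168.10.0/24 is the VPN-routed range, 192.168.11.0/24 the clearnet
    range (the post's example numbers).
  - Gateway names and the default gateway are illustrative only.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/18")

# Ordered policy table; pfSense GUI rules are first-match ("quick"), so the
# order here mirrors rule order on the interface tab.
POLICY = [
    (ipaddress.ip_network("192.168.10.0/24"), "AirVPN_GW"),
    (ipaddress.ip_network("192.168.11.0/24"), "WAN_GW"),
]

# Assumed: what unmatched traffic falls back to. Set this to the VPN so a
# forgotten host leaks onto the VPN rather than onto the clearnet.
DEFAULT_GATEWAY = "AirVPN_GW"


def validate_policy(lan=LAN, policy=POLICY):
    """Reject ranges outside the LAN or overlapping each other (ambiguous)."""
    nets = [net for net, _ in policy]
    for net in nets:
        if not net.subnet_of(lan):
            raise ValueError(f"{net} is not inside {lan}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def gateway_for(addr, policy=POLICY, default=DEFAULT_GATEWAY):
    """Gateway a LAN host's outbound traffic takes under this plan."""
    ip = ipaddress.ip_address(addr)
    if ip not in LAN:
        raise ValueError(f"{ip} is not inside {LAN}")
    for net, gw in policy:
        if ip in net:
            return gw
    return default


def uncovered_ranges(lan=LAN, policy=POLICY):
    """LAN space with no explicit policy; these hosts ride the default gateway.

    With a clearnet default every host here is a VPN leak; with a VPN default
    a clearnet-only device parked here goes through the VPN unnoticed.
    """
    remaining = [lan]
    for net, _ in policy:
        nxt = []
        for r in remaining:
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))   # split r around net
            elif r.overlaps(net):
                raise ValueError(f"{net} partially overlaps {r}")
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


def leak_report(default=DEFAULT_GATEWAY):
    """One line per unaddressed range, for a pre-deployment checklist."""
    return [f"{net} -> {default} (no explicit rule)" for net in uncovered_ranges()]


if __name__ == "__main__":
    validate_policy()
    print(gateway_for("192.168.10.25"), gateway_for("192.168.11.7"))
    for line in leak_report():
        print(line)
```

Run it before adding the rules: if the report lists ranges you expected to be clearnet-only or VPN-only, add a /24 (or a deny rule) for them rather than relying on the default gateway.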
  20. How to get a machine on one subnet to communicate with a machine on another? If that is what you are asking, you need to make a firewall rule on the interface, or each interface, that is trying to communicate as a client to allow the communication across subnets. Making a networks alias makes this easier if you list all the local subnets you want to be able to communicate. I also use a ports alias and restrict communication on my local network to services I control. The following firewall rule is basic but should get you going if this is what you are trying to do. I use a rule like this to allow access to a network printer and a local DNS server. For this we will assume you have a printer on your LAN that you want to access from the AirVPN_LAN.

     Set as follows:

     Action = [ Pass ▼]
     Disabled = [_] Disable this rule (UNCHECKED)
     Interface = [AirVPN_LAN ▼]
     TCP/IP Version = [IPv4 ▼]
     Protocol = [Any ▼] - TCP/UDP is also a consideration if you don't need pings. Best to only allow what you need.
     Source = [_] Not (UNCHECKED)
       Type: [ AirVPN_LAN net ▼] - (192.168.2.1 /24)
       Address: [______] (BLANK)
     Destination = [_] Not (UNCHECKED)
       Type: [ LAN net ▼] - (192.168.1.1 /24, or a local subnets networks alias)
       Address: [______] (BLANK)
     Destination port range = From: [Any ▼], To: [Any ▼] - (Or choose [ (other) ▼] and enter a ports alias of ports you intend to use)
     Log = [_] - Your choice if you wish to log
     Description = [✎ Allow_Local_Services ]
     (NOTE: DO NOT, repeat DO NOT select a gateway in the advanced options. We don't want to route it out one since it is local traffic.)

     3.) Click [ Save ]
     4.) Click [ Apply Changes ]

     This rule MUST be placed directly above your allow all rule. Move the rule into place accordingly, save and apply changes. You will need to reboot after to make sure everything loads.
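The post above insists the local-services rule sit above the policy-routed allow-all rule and carry no gateway, and post 4 earlier describes sending Netflix-owned prefixes out the clearnet gateway with a destination alias. The block below is an added example, not the poster's rules or pfSense code: a small model of pfSense's first-match ("quick") evaluation that shows what each ordering does to a print job and to a Netflix connection. Interface and alias names follow the post (AirVPN_LAN net = 192.168.2.0/24, LAN net = 192.168.1.0/24); the Local_Subnets and Local_Service_Ports aliases, the gateway names, the sample packets and the Netflix_ASN prefixes (RFC 5737 documentation space, not the real AS2906 ranges) are all constructed for illustration.

```python
"""Added example (not from the original post): model pfSense first-match rule
evaluation to show why rule order and the "no gateway" advice matter.

Constructed data: alias contents, gateway names, packets and the Netflix_ASN
prefixes are illustrative; only the interface/subnet names come from the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

ALIASES = {
    "AirVPN_LAN net": ["192.168.2.0/24"],
    "LAN net": ["192.168.1.0/24"],
    "Local_Subnets": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
    "Local_Service_Ports": [53, 123, 631, 9100],          # DNS, NTP, IPP, JetDirect
    "Netflix_ASN": ["198.51.100.0/24", "203.0.113.0/24"],  # placeholder, not real AS space
}


@dataclass
class Rule:
    interface: str
    action: str                      # "pass" or "block"
    proto: str                       # "any", "tcp", "udp", "icmp"
    src: str                         # alias name, CIDR or "any"
    dst: str
    dports: Union[str, int] = "any"  # "any", a port, or a ports alias
    gateway: Optional[str] = None    # policy-routing gateway; None = routing table
    description: str = ""


@dataclass
class Packet:
    interface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _nets(spec):
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec])]


def _addr_match(spec, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in _nets(spec))


def _port_match(spec, port):
    if spec == "any":
        return True
    if isinstance(spec, int):
        return port == spec
    return port in ALIASES[spec]


def evaluate(rules, pkt):
    """Return (action, gateway, description) of the first matching rule.

    pfSense adds 'quick' to GUI rules, so evaluation stops at the first hit;
    with no hit the implicit default deny applies (post 3: subnets are
    blocked by default until a rule allows them).
    """
    for r in rules:
        if r.interface != pkt.interface:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if not _addr_match(r.src, pkt.src) or not _addr_match(r.dst, pkt.dst):
            continue
        if pkt.proto in ("tcp", "udp") and not _port_match(r.dports, pkt.dport):
            continue
        return r.action, r.gateway, r.description
    return "block", None, "default deny"


LOCAL = Rule("AirVPN_LAN", "pass", "any", "AirVPN_LAN net", "Local_Subnets",
             "Local_Service_Ports", None, "Allow_Local_Services")
NETFLIX = Rule("AirVPN_LAN", "pass", "any", "AirVPN_LAN net", "Netflix_ASN",
               "any", "WAN_GW", "Netflix_clearnet")
ALLOW_ALL = Rule("AirVPN_LAN", "pass", "any", "AirVPN_LAN net", "any",
                 "any", "AirVPN_GW", "Allow_all_via_VPN")

GOOD_ORDER = [LOCAL, NETFLIX, ALLOW_ALL]   # what the post prescribes
BAD_ORDER = [ALLOW_ALL, LOCAL, NETFLIX]    # allow-all first: later rules never match

PRINT_JOB = Packet("AirVPN_LAN", "tcp", "192.168.2.20", "192.168.1.50", 9100)
NETFLIX_STREAM = Packet("AirVPN_LAN", "tcp", "192.168.2.20", "203.0.113.9", 443)
WEB = Packet("AirVPN_LAN", "tcp", "192.168.2.20", "93.184.216.34", 443)

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, "print job  ->", evaluate(rules, PRINT_JOB))
        print(name, "netflix    ->", evaluate(rules, NETFLIX_STREAM))
        print(name, "other web  ->", evaluate(rules, WEB))
```

In the bad ordering the print job is matched by the allow-all rule and tagged with the VPN gateway, so pf tries to push local traffic out the tunnel; in the good ordering it matches Allow_Local_Services with no gateway and is routed by the system table, while the Netflix destination alias sends only those prefixes via WAN_GW and everything else still goes through the VPN.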
  21. "Only router based on fast x86 cpu can do it." <--- Pretty much this. Being that you tried multiple ISPs, it's not likely the issue is you're being throttled. It is far more likely an issue with the hardware. You don't necessarily need the fastest processor, but you will want one with hardware encryption acceleration, namely AES-NI. Let us know what hardware you are using to see if we can further help. Many serious users have moved onto a platform such as pfSense. If you can afford to build a box, there are no compromises with it if done right. Some users I have helped can max their 150Mb connections out minus the 10% OpenVPN overhead. I am on a 60/12 connection myself.
  22. Your plan is victim to how OpenVPN interacts with the operating system. Each instance of OpenVPN client you run on pfSense creates its own unique virtual adapter (TUN/TAP interface). If you are trying to run a second instance of the OpenVPN client, your firewall rules and NAT are not compatible with the new second (likely ovpnc2) virtual interface as they are programmed for the first (ovpnc1). You would have to go through and set up the second interface, the new gateway, outbound NAT and create new firewall rules. There are people that have suggested gateway and interface groups etc... but I find all that to be a bit excessive. If you want to switch, just change the remote IP of the original client; it really is the easiest way. To make switching easier, you can save a list of IP addresses at the end of your advanced config section. All you have to do is "comment" them out using pound signs at the beginning of a line and the text will not be read by OpenVPN, for instance:

     ##### AirVPN SERVER IP's #####
     ##### Farud xxx.xxx.xxx.xxx
     ##### Menkib xxx.xxx.xxx.xxx
     ##### Phoenicis xxx.xxx.xxx.xxx

     You can keep a list of as many as you like, then just copy and paste as you need them.
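The post above keeps spare server IPs as "#" comment lines at the end of the OpenVPN advanced config and swaps the active remote by hand. The block below is an added example, not the poster's script or anything from AirVPN or pfSense: it parses such a config the way OpenVPN does (lines beginning with "#" or ";" are comments), lists the commented servers, and rewrites the first active "remote" line to point at a chosen one. The sample config is constructed: the server names are the ones the post mentions, and the IPs are RFC 5737 documentation addresses, not real endpoints.

```python
"""Added example (not from the original post): treat the commented server list
at the end of an OpenVPN client config as data and swap the active remote.

Constructed sample: server names from the post, IPs from RFC 5737 test space.
OpenVPN ignores lines whose first non-blank character is '#' or ';', which is
the property the post's trick relies on.
"""
import re

SAMPLE_CONFIG = """\
remote 203.0.113.10 443
proto udp
comp-lzo no
##### AirVPN SERVER IP's #####
##### Farud 203.0.113.10
##### Menkib 203.0.113.20
##### Phoenicis 203.0.113.30
"""

COMMENT = re.compile(r"^\s*[#;]")
# A commented note of the form "##### Name 1.2.3.4"; the header line has no IP
# and therefore does not match.
SERVER_NOTE = re.compile(
    r"^#+\s*(?P<name>[A-Za-z]+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def active_lines(config):
    """The directives OpenVPN will actually parse: no comments, no blanks."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not COMMENT.match(ln)]


def active_remote(config):
    """Host/IP of the first active 'remote' directive, or None."""
    for ln in active_lines(config):
        parts = ln.split()
        if parts[0] == "remote" and len(parts) > 1:
            return parts[1]
    return None


def noted_servers(config):
    """Map server name -> IP from the commented list."""
    servers = {}
    for ln in config.splitlines():
        m = SERVER_NOTE.match(ln.strip())
        if m:
            servers[m.group("name")] = m.group("ip")
    return servers


def switch_remote(config, server_name):
    """Return a new config whose first 'remote' line points at server_name.

    Comment lines are left untouched so the list survives the switch; the
    port and any other 'remote' arguments are preserved.
    """
    ip = noted_servers(config)[server_name]   # KeyError if name is not listed
    out, done = [], False
    for ln in config.splitlines():
        parts = ln.split()
        if not done and not COMMENT.match(ln) and parts and parts[0] == "remote":
            parts[1] = ip
            ln = " ".join(parts)
            done = True
        out.append(ln)
    if not done:
        raise ValueError("no active 'remote' directive found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("active:", active_remote(SAMPLE_CONFIG))
    print("listed:", noted_servers(SAMPLE_CONFIG))
    print(switch_remote(SAMPLE_CONFIG, "Menkib"))
```

Paste the output back into the advanced options box (or the client's config file) and save; the commented list stays at the bottom for the next switch.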
  23. It has been a while since I have used it, but if memory serves me well, the reason the Merlin firmware is so desirable is because it can use hardware acceleration whereas Tomato etc. cannot. On a LAN this means full wire speed with Merlin firmware while Tomato may only be able to do 200-300 Mb. Last I read it also had been given some OpenVPN optimizations and achieved higher throughput through VPN than other firmwares. Tons of info on it over at the SmallNetBuilder forum where RMerlin is active.
  24. I don't recall what I wrote for the DNS section for two NICs and sadly am too lazy to look at the moment. Compare what I wrote for 3 or more NICs to what I wrote for 2. You may need to play with it. Let us know. That being said... you can't use HAVP, Squid, DansGuardian etc. on the VPN side of things without creating IP leaks that are hard to detect and routing loops due to setting the VPN as default gateway. It has to do with the way pfSense routes proxied connections. I didn't learn this until recently while delving very deep into setting up an adblock-style filter. Proxies on pfSense currently do not support multiple WANs and it will pipe the proxied content to the default gateway. Just can't be done currently while also remaining secure and leak proof. I need to correct that portion in my preface where I say you can do this... I will soon enough. Also, don't waste your time with Snort. Install Suricata instead. Suricata has multi-thread support and is the way forward.... it is newer and better than Snort. There is a thread on how to set up Suricata in the packages subforum over at the pfSense forums. Good luck with it.
  25. I'm not sure I follow what you're saying. Are the packages not showing up on pfSense when you click the link for packages in the GUI? If that is the case, on the dashboard does it say "unable to connect" or does it say "you are on the latest version" or similar under the System Information -> Version area? If it says unable to connect or if it is not showing the packages list... your DNS for the firewall itself is likely not configured correctly. How many NICs are you using?